The EU Data Act Is Already in Effect: What Companies Need to Do Now
The EU Data Act's main obligations are already enforceable. What companies with connected products need to do now to comply and avoid penalties.
The EU Data Act's main provisions became enforceable on September 12, 2025. If your company manufactures, distributes, or provides services related to connected products sold in the EU, you are now legally required to share user-generated data with users and their designated third parties.
Many companies have underestimated the impact. Here is what the Act requires and what you need to do now.
What Is Already Enforceable
Since September 2025, the following obligations are in effect:
- User data access rights — Users of connected products can request access to the data generated by their use. You must provide it free of charge, in a machine-readable format, without undue delay.
- Third-party data sharing — Users can direct you to share their data with third parties. You must comply, under FRAND (Fair, Reasonable, and Non-Discriminatory) terms.
- Unfair contract term prohibition — Contract terms that unfairly restrict a party's access to data generated by connected products are unenforceable for new contracts.
- Cloud switching obligations — Cloud service providers must remove barriers to switching and enable data portability. Switching charges are limited to cost pass-through.
- B2G data sharing — Public sector bodies can request data from private holders in cases of public emergency.
What Is Coming Next
| Deadline | Obligation |
|---|---|
| September 12, 2026 | "Data by design" — connected products placed on the market after this date must be designed to make data directly accessible to users from the outset. |
| January 12, 2027 | Complete ban on cloud switching charges. |
| September 12, 2027 | Unfair contract term rules extend to existing B2B contracts that pre-date September 2025. |
Who Is Affected
The Act applies to any company that is a data holder for connected product data in the EU. This primarily means:
- Manufacturers of connected products — from smart home appliances to industrial machinery to connected vehicles
- Providers of related services — apps, platforms, and analytics services that process connected product data
- Cloud service providers — IaaS, PaaS, and SaaS providers with switching and portability obligations
If you design, make, or sell products that connect to the internet and generate data through their use, you are likely in scope.
What the Penalties Look Like
Enforcement is at the member state level. Penalties are significant:
- Netherlands: Up to EUR 1,030,000 or 10% of EU-wide annual turnover (whichever is higher)
- Germany (draft): Up to 4% of worldwide annual turnover
- Where personal data is involved, GDPR penalties may also apply (up to EUR 20 million or 4% of worldwide turnover)
No enforcement actions have been publicly reported as of early 2026. But enforcement frameworks are being established, and the first actions are expected once member state authorities are fully operational. Companies that are clearly non-compliant by mid-2026 face increasing risk.
Why Many Companies Are Not Ready
Several factors have contributed to delayed preparation:
Complexity of the Act. The EU Data Act is a broad regulation with overlapping provisions covering connected products, cloud services, B2G data sharing, and contractual fairness. Many companies have struggled to determine which parts apply to them.
Unclear technical requirements. The Act mandates machine-readable formats and secure channels but does not prescribe specific technical standards. Companies are uncertain about what "good enough" looks like.
Interaction with GDPR. Connected product data often includes personal data (location, usage patterns). Companies need to comply with both the Data Act and GDPR simultaneously, which creates complexity around consent, retention, and processing grounds.
Lagging enforcement. Without visible enforcement, the urgency has been low. This is changing as member states finalize their frameworks.
A Practical Compliance Roadmap
Step 1: Scope Your Obligations (Weeks 1-2)
- Identify all connected products you manufacture or provide related services for
- Map the data each product generates
- Determine which data falls under the Act's sharing obligations
- Identify data that qualifies for trade secret protection (allowed under limited conditions)
Step 2: Assess Current Capabilities (Weeks 2-3)
- Can users currently access their data? In what format?
- Can you handle third-party data requests? Do you have consent mechanisms?
- Do you have audit logging for data access events?
- What is the gap between your current capabilities and what the Act requires?
Step 3: Choose Your Implementation Approach (Weeks 3-4)
- Build — if you have an engineering team experienced in API development, consent management, and security standards
- Buy — use a managed data provider platform that handles the API layer, consent, security, and audit logging
- Open-source — use EU-funded tools (Eclipse Dataspace Connector, IDSA components) if you have the in-house expertise
Step 4: Implement (Weeks 4-12)
- Deploy data access APIs or portals for user access
- Build consent management for third-party data sharing
- Implement authentication, authorization, and access controls
- Set up audit logging and compliance reporting
- Define and document your FRAND pricing for third-party access
Step 5: Prepare for "Data by Design" (Ongoing)
- Review your product development roadmap for connected products launching after September 2026
- Ensure data accessibility is built into the product architecture from the design phase
- Update product requirements to include Data Act compliance as a baseline
The Case for Acting Now
The absence of enforcement actions today does not mean the risk is zero. Companies that document their compliance efforts now — even if implementation is still in progress — are in a significantly better position than those who have taken no action at all. Demonstrating good-faith effort matters when enforcement begins.
Beyond compliance, companies that build data-sharing infrastructure early gain a competitive advantage. Your customers — whether they are consumers, fleet operators, or industrial users — increasingly expect data access. The companies that deliver it first build trust and loyalty.
Fiskil helps organisations comply with EU Data Act data-sharing obligations through managed API infrastructure, consent management, and audit logging — typically deployable in 6–8 weeks.


